Splunk Visualization Help

dvazquez1980
Explorer

I am trying to create a simple dashboard to track active site using a query like the one below. The query works and returns values but my supervisor has asked me now to add background color to the values in the dashboard. The query below basically checks to see if a service is running on a set of servers. If the service is running on server A it returns Town Name 1, if it is running on server B it returns Town Name 2. If neither is found it returns "Down". I have tried using Single Value visualization and Status Indicator Visualization but both require a numeric value to use the OTB color formatting.

How can I get the background color to change based off the text values Town1, Town2, and Down?

index=windows source=service host=servername* Name=service_name* earliest=-5m State="Running"
| eval Site=if(host="server1", "Town1", if(host="server2","Town2","Down")) | dedup Site | table Site

0 Karma
1 Solution

dvazquez1980
Explorer

This is what I ended up doing, using the Single Value visualization.

index=windows source=service host=servername* Name=service_name* earliest=-5m State="Running"
| eval Site=if(host="server1", "Town1", if(host="server2","Town2","Down"))
| eval range=if(Site=="Town1", "high", if(Site=="Town2","guarded","severe"))
| dedup Site

Then editing the xml as follows:

         <earliest>-24h@h</earliest>
         <latest>now</latest>
         <sampleRatio>1</sampleRatio>
       </search>
       <option name="colorMode">block</option>
       <option name="field">Site</option>
       <option name="charting.fieldColors"></option>
     </single>
   </panel>

0 Karma

dvazquez1980
Explorer

Thanks, Rich... The problem with the table visualization is the size of the text. The Single Value and Status Indicator visualizations have an aesthetic we are looking for. The dashboards are posted on TV screens and are meant to be read from a distance.

0 Karma

richgalloway
SplunkTrust

If you use the Table visualization you can set colors based on text values. Edit the dashboard and click the pencil icon in the column to be colored. Turn on colors and select "values". Click the "Define rules" button and fill in the value and associated color. Add more rules as necessary.

---
If this reply helps you, Karma would be appreciated.
0 Karma
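
The value-based color rule described in the reply above is stored in the dashboard's Simple XML as a `<format type="color">` element on the table. The following is an added example, not code from the thread: the dashboard label and hex colors are constructed values, and the `appendpipe` clause is an addition that emits "Down" when the search returns no events at all (without it the table would simply be empty).

```xml
<dashboard>
  <label>Active Site</label>
  <row>
    <panel>
      <table>
        <search>
          <!-- Query from the question. The final appendpipe is an addition:
               when no "Running" event is found in the window, it produces a
               single row with Site="Down" instead of an empty result. -->
          <query>index=windows source=service host=servername* Name=service_name* State="Running"
| eval Site=if(host="server1", "Town1", if(host="server2", "Town2", "Down"))
| dedup Site
| table Site
| appendpipe [ stats count | where count==0 | eval Site="Down" | fields Site ]</query>
          <earliest>-5m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <!-- Equivalent of turning on colors, choosing "values" and defining
             one rule per text value for the Site column. Colors are
             constructed sample values. -->
        <format type="color" field="Site">
          <colorPalette type="map">{"Town1":#53A051,"Town2":#F8BE34,"Down":#DC4E41}</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
```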